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DATA PROTECTION ACT 1998 
SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER 


MONETARY PENALTY NOTICE 


To: Koypo Laboratories Limited 
Of: United House, North Road, London, N7 9DP 


1. The Information Commissioner (“Commissioner”) has decided to issue 
Koypo Laboratories Limited (“Koypo”) with a monetary penalty under 
section 55A of the Data Protection Act 1998 (“DPA”). The penalty is in 
relation to a serious contravention of Regulation 22 of the Privacy and 


Electronic Communications (EC Directive) Regulations 2003 (“PECR”). 
2, This notice explains the Commissioner’s decision. 


Legal framework 


ce Koypo, whose registered office is given above (Companies House 
registration number: 10024201), is the organisation stated in this 
notice to have instigated the transmission of unsolicited 
communications by means of electronic mail to individual subscribers 


for the purposes of direct marketing contrary to regulation 22 of PECR. 


4. Regulation 22 of PECR states: 
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“(1) This regulation applies to the transmission of unsolicited 


communications by means of electronic mail to individual 


subscribers. 


(2) Except in the circumstances referred to in paragraph (3), a person 
shall neither transmit, nor instigate the transmission of, unsolicited 
communications for the purposes of direct marketing by means of 
electronic mail unless the recipient of the electronic mail has 
previously notified the sender that he consents for the time being 
to such communications being sent by, or at the instigation of, the 


sender. 


(3) A person may send or instigate the sending of electronic mail for 


the purposes of direct marketing where— 


(a) that person has obtained the contact details of the recipient 
of that electronic mail in the course of the sale or 
negotiations for the sale of a product or service to that 


recipient; 


(b) the direct marketing is in respect of that person’s similar 


products and services only; and 


(c) the recipient has been given a simple means of refusing 
(free of charge except for the costs of the transmission of 
the refusal) the use of his contact details for the purposes 
of such direct marketing, at the time that the details were 
initially collected, and, where he did not initially refuse the 
use of the details, at the time of each subsequent 


communication. 


(4) A subscriber shall not permit his line to be used in contravention of 


paragraph (2).” 
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Section 11(3) of the DPA defines “direct marketing” as “the 
communication (by whatever means) of any advertising or marketing 


material which is directed to particular individuals”. This definition also 


applies for the purposes of PECR (see regulation 2(2)). 


“Electronic mail’ is defined in regulation 2(1) PECR as “any text, voice, 
sound or image message sent over a public electronic communications 
network which can be stored in the network or in the recipient's 
terminal equipment until it is collected by the recipient and includes 


messages sent using a short message service”. 


A “subscriber” is defined in regulation 2(1) of PECR as “a person who is 
a party to a contract with a provider of public electronic 


communications services for the supply of such services”. 


The term “soft opt-in” is used to describe the rule set out in in 
Regulation 22(3) of PECR. In essence, an organisation may be able to 
e-mail its existing customers even if they haven't specifically consented 
to electronic mail. The soft opt-in rule can only be relied upon by the 


organisation that collected the contact details. 


Section 55A of the DPA (as amended by the Privacy and Electronic 
Communications (EC Directive)(Amendment) Regulations 2011 and the 
Privacy and Electronic Communications (EC Directive) (Amendment) 
Regulations 2015) states: 


“(1) The Commissioner may serve a person with a monetary penalty if 


the Commissioner is satisfied that - 


(a) there has been a serious contravention of the requirements 
of the Privacy and Electronic Communications (EC 


Directive) Regulations 2003 by the person, and 
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(b) subsection (2) or (3) applies. 
(2) This subsection applies if the contravention was deliberate. 


(3) This subsection applies if the person - 


(a) knew or ought to have known that there was a risk that 


the contravention would occur, but 


(b) failed to take reasonable steps to prevent the 


contravention.” 


The Commissioner has issued statutory guidance under section 55C (1) 
of the DPA about the issuing of monetary penalties that has been 
published on the ICO’s website. The Data Protection (Monetary 
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe 
that the amount of any penalty determined by the Commissioner must 
not exceed £500,000. 


PECR implements European legislation (Directive 2002/58/EC) aimed at 
the protection of the individual's fundamental right to privacy in the 
electronic communications sector. PECR was amended for the purpose 
of giving effect to Directive 2009/136/EC which amended and 
strengthened the 2002 provisions. The Commissioner approaches PECR 


so as to give effect to the Directives. 
The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the Data Protection Act 2018 (see 


paragraph 58(1) of Part 9, Schedule 20 of that Act). 


Background to the case 
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Koypo is lead generator specialising in scientific customer acquisition. 


It utilises click to lead conversion systems to supply third parties with 


data leads obtained via its websites. 


In February 2018 the Commissioner became aware of a number of 
complaints having being received by her about Koypo and its ‘Simple 


PPI Claims’ brand sending unsolicited marketing in the form of e-mails. 


The Commissioner wrote to Koypo on 9 March 2018, providing details 
of the complaints made. The letter also requested information about 
the volume of e-mail marketing messages sent, the source of the data 
to send the e-mails and its evidence of consent to send the e-mails to 
the individuals who had made complaints. Koypo were warned that the 
Commissioner could issue civil monetary penalties of up to £500,000 
for PECR breaches. 


Koypo advised that they had not sent any e-mails during the period in 
question but had instead relied upon a network of 61 affiliates, and in 
some circumstances sub affiliates, to send marketing on its behalf. As 
they had not sent the e-mails directly they stated that they were 
unable to access volume information but provided a breakdown of ‘click 
volumes’ generated by each affiliate. They also advised that they were 
unable to access evidence of consent as they would require the original 
email to identify the affiliate it originated from. Their response also 


advised that Koypo had paused their email marketing campaigns. 


It was clear to the Commissioner that Koypo were engaging in ‘hosted 
marketing’. This term describes the practice of an organisation sending 
direct marketing e-mails to their own database, however the marketing 
material found in the email relates to a third party. Whilst the third 


party, in this case Koypo, is not the sender of these e-mails they are 
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the instigator and so would require explicit permission that the 


recipients want to receive these e-mails before they are sent. 


Having reviewed Koypo’s response the Commissioner requested further 
information on 23 March 2018 in order to discover the identity of the 
affiliates, volumes of e-mails sent and to again request evidence of 
consent in relation to the identified complaints. Responses received 
from Koypo on 4 April 2018 and 21 May 2018 advised that e-mails sent 
between 1 March 2017 and 31 March 2018 were sent by four affiliates 
on their behalf. During that time Koypo estimated that 22,056,029 e- 
mails had been sent by the affiliates. Koypo again told the 
Commissioner that they were unable to provide evidence of consent for 


the complaints received. 


Koypo explained in further exchanges of correspondence with the 
Commissioner between July 2018 and May 2019 the due diligence 
requirements applied to their identified affiliates. They provided links to 
their affiliates privacy policies and fair processing information where 
available. They explained that they were unable to advise of the 
precise number of e-mails received by individuals from each affiliate. 
They instead provided bounce back rates for each affiliate, that is, the 
percentage of the e-mails sent which failed to be accepted by the end 
users server. Based on the rates provided a total estimated number of 
21,166,574 marketing e-mails were received by individuals. This 


number was confirmed by Koypo on 20 May 2019. 


The Commissioner reviewed the policies and information in place at the 
time of the contravention and identified that the websites where 
consent was obtained did not name Kyopo or make it clear that user’s 
may receive marketing about a PPI claims company. The sites relied on 
providing consent to ‘third parties’ and ‘partners’ however these were 


not tightly defined and were too general to demonstrate valid consent. 
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Koypo provided examples of e-mails sent by the affiliates which 


contained solely Koypo branding in the form of simpleppiclaims.co.uk. 


Koypo was consequently unable to evidence that the individuals to 
whom direct marketing messages had been sent had consented to 


receipt of the messages. 


The Commissioner has made the above findings of fact on the 


balance of probabilities. 


The Commissioner has considered whether those facts constitute 
a contravention of regulation 22 of PECR by Koypo and, if so, whether 


the conditions of section 55A DPA are satisfied. 
The contravention 


The Commissioner finds that Koypo has contravened regulation 22 of 
PECR. 


The Commissioner finds that the contravention was as follows: 


Between 1 March 2017 and 31 March 2018, Koypo instigated the 
transmission of 21,166,574 unsolicited communications by means of 
electronic mail to individual subscribers for the purposes of direct 


marketing contrary to regulation 22 of PECR. 


Koypo, as the instigator of the direct marketing, is required to ensure 
that it is acting in compliance with the requirements of regulation 22 of 


PECR, and to ensure that sufficient consent had been acquired. 
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“Consent” within the meaning of regulation 22(2) requires that the 


recipient of the electronic mail has notified the sender that he consents 


to messages being sent by, or at the instigation of, that sender. 


In this case the Commissioner is satisfied that Koypo did not have the 
consent, within the meaning of regulation 22(2), of the 21,166,574 
subscribers to whom it had instigated the sending of unsolicited direct 


marketing messages. 


The Commissioner is satisfied that Koypo was responsible for this 


contravention. 


The Commissioner has gone on to consider whether the conditions 


under section 55A DPA were met. 
Seriousness of the contravention 


The Commissioner is satisfied that the contravention identified 
above was serious. This is because between 1 March 2017 and 31 
March 2018 Koypo sent a total of 21,166,574 direct marketing 


messages to subscribers without their consent. 


In addition, Koypo also instigated the sending of a further 889,455 
marketing messages. Although these were not received by individuals, 
it evidences an attempt to send large volumes of marketing messages 


to individuals without consent to do so. 


The Commissioner is therefore satisfied that condition (a) from 
section 55A(1) DPA is met. 


Deliberate or negligent contraventions 
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The Commissioner has considered whether the contravention identified 
above was deliberate. In the Commissioner’s view, this means that the 
Koypo’s actions which constituted that contravention were deliberate 
actions (even if Koypo did not actually intend thereby to contravene 
PECR). 


The Commissioner considers that in this case Koypo did not 


deliberately contravene regulation 22 of PECR in that sense. 


The Commissioner had gone on to consider whether the contraventions 


identified above were negligent. 


First, the Commissioner has considered whether Koypo knew or ought 
to reasonably have known that there was a risk that these 
contraventions would occur. She is satisfied that this condition is met 
given that Koypo is involved in a business reliant on direct marketing, 
and the fact that the issue of unsolicited messages has been widely 
publicised by the media as being a problem. In addition, Koypo have 
held a valid data protection register entry since 5 April 2016. They 
should therefore be aware of the Commissioner’s available guidance 


and of their obligations under PECR. 


Furthermore, the Commissioner has published detailed guidance for 
those carrying out direct marketing explaining their legal obligations 
under PECR. This guidance explains the circumstances under which 
organisations are able to carry out marketing over the phone, by text, 
by e-mail, by post, or by fax. In particular it states that organisations 
can generally only send marketing messages to individuals if that 


person has specifically consented to receiving them from the sender. 
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It is therefore reasonable to suppose that Koypo knew or ought 


reasonably to have known that there was a risk that these 


contraventions would occur. 


Secondly, the Commissioner has gone on to consider whether Koypo 


failed to take reasonable steps to prevent the contraventions. 


Organisations contracting with third parties to carry out marketing for 
them must make rigorous checks to satisfy themselves that the third 
party has obtained the data it is using fairly and lawfully, and that they 
have the necessary consent. Organisations must ensure that consent 
was validly obtained, that it was reasonably recent, and that it clearly 
extended to them specifically or to organisations fitting their 
description. It is not acceptable to rely on assurances of indirect 


consent without undertaking proper due diligence. 


Indirect consent can be achieved in circumstances that are clear and 
specific enough, if a third party is specifically named at the point of 
data collection so that an individual would reasonably expect their data 


to be shared with or to receive marketing from a third party. 


In this case Koypo was unable to provide evidence that it had 
undertaken appropriate due diligence in this case. The e-mails sent on 
behalf of Koypo contained only Koypo branding and do not explain who 
the sender is. It is therefore unclear to the individuals why they are 
receiving this marketing communication. For consent to be valid it 
must be freely given, specific and informed, an individual must know 
what they are consenting to and be given clear instruction on what that 


consent means. 


Contracts in place between Koypo and its affiliates make no mention of 
data use or controls. When asked by the Commissioner to provide 


evidence of consent, Koypo were unable to retrieve it without the 
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specific e-mails sent to an individual. Whilst Koypo advised the 
Commissioner that they verify consent by asking their affiliates for opt 


in proofs at random times there is no written evidence of any other due 


diligence checks being carried out by Koypo. 


The Commissioner's direct marketing guidance is clear that 
organisations should keep clear records of what an individual has 
consented to, and when and how this consent was obtained, so that 


they can demonstrate compliance in the event of a complaint. 


In the circumstances, the Commissioner is satisfied that Koypo failed to 


take reasonable steps to prevent the contraventions in this case. 


The Commissioner is therefore satisfied that condition (b) from section 
55A (1) DPA is met. 


The amount of the penalty the Commissioner proposes to 
impose 


The Commissioner has taken into account the following mitigating 


feature of this case: 


Koypo have advised the Commissioner that they have instructed a law 
firm to develop procedures with regards to the compliant handling of 
data. 


Koypo have suspended their email marketing campaigns at present 
though they have not advised whether they intend to begin email 


marketing again. 
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The Commissioner has taken into account the following aggravating 


features of this case: 


The conduct of the business was being carried out to generate leads via 
affiliate marketing programming. Affiliates operate incentivised 
marketing where they are paid for results or leads generated, 


encouraging higher rates of unsolicited marketing. 


Advice and guidance is published on the Commissioner's website and is 
also available through her advice services. There is also guidance and 
advice provided by trading bodies such as the Direct Marketing 


Association. 


For the reasons explained above, the Commissioner is satisfied that the 
conditions from section 55A (1) DPA have been met in this case. She is 
also satisfied that the procedural rights under section 55B have been 


complied with. 


The latter has included the issuing of a Notice of Intent, in which the 
Commissioner set out her preliminary thinking. Upon receiving the 
Notice of Intent, Koypo submitted representations which were 
considered by the Commissioner when considering whether to exercise 


her discretion to issue a monetary penalty. 


The Commissioner is accordingly entitled to issue a monetary penalty 


in this case. 


The Commissioner has considered whether, in the circumstances, she 


should exercise her discretion so as to issue a monetary penalty. 
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The Commissioner has considered the likely impact of a monetary 
penalty on Koypo. She has decided on that information that is available 
to her, that Koypo has access to sufficient financial resources to pay 


the proposed monetary penalty without causing undue financial 


hardship. 


The Commissioner's underlying objective in imposing a monetary 
penalty notice is to promote compliance with PECR. The sending of 
unsolicited marketing emails is a matter of significant public concern. A 
monetary penalty in this case should act as a general encouragement 
towards compliance with the law, or at least as a deterrent against 
non-compliance, on the part of all persons running businesses currently 
engaging in these practices. The issuing of a monetary penalty will 
reinforce the need for businesses to ensure that they are only 


messaging those who specifically consent to receive marketing. 


For these reasons, the Commissioner has decided to issue a monetary 


penalty in this case. 


The amount of the penalty 


Taking into account all of the above, the Commissioner has decided 
that a penalty in the sum of £100,000 (One hundred thousand 
pounds) is reasonable and proportionate given the particular facts of 


the case and the underlying objective in imposing the penalty. 
nclusion 
The monetary penalty must be paid to the Commissioner’s office by 


BACS transfer or cheque by 4 September 2020 at the latest. The 


monetary penalty is not kept by the Commissioner but will be paid into 
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the Consolidated Fund which is the Government’s general bank account 
at the Bank of England. 


If the Commissioner receives full payment of the monetary penalty by 
3 September 2020 the Commissioner will reduce the monetary 
penalty by 20% to £80,000 (Eighty thousand pounds). However, 
you should be aware that the early payment discount is not available if 


you decide to exercise your right of appeal. 


There is a right of appeal to the First-tier Tribunal (Information Rights) 


against: 


(a) the imposition of the monetary penalty 
and/or; 

(b) the amount of the penalty specified in the monetary penalty 
notice. 


Any notice of appeal should be received by the Tribunal within 28 days 


of the date of this monetary penalty notice. 
Information about appeals is set out in Annex 1. 


The Commissioner will not take action to enforce a monetary penalty 


unless: 


e the period specified within the notice within which a monetary 
penalty must be paid has expired and all or any of the monetary 


penalty has not been paid; 


e all relevant appeals against the monetary penalty notice and any 


variation of it have either been decided or withdrawn; and 
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e the period for appealing against the monetary penalty and any 


variation of it has expired. 


65. In England, Wales and Northern Ireland, the monetary penalty is 
recoverable by Order of the County Court or the High Court. In 
Scotland, the monetary penalty can be enforced in the same manner as 
an extract registered decree arbitral bearing a warrant for execution 


issued by the sheriff court of any sheriffdom in Scotland. 


Dated the 4th day of August 2020 


Andy Curry 

Head of Investigations (Civil) 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire 

SK9 SAF 
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ANNEX 1 


SECTION 55 A-E OF THE DATA PROTECTION ACT 1998 
RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER 


1. Section 55B(5) of the Data Protection Act 1998 gives any person upon 
whom a monetary penalty notice has been served a right of appeal to 
the First-tier Tribunal (Information Rights) (the ‘Tribunal’) against the 
notice. 


2: If you decide to appeal and if the Tribunal considers:- 


a) that the notice against which the appeal is brought is not in 


accordance with the law; or 


b) to the extent that the notice involved an exercise of discretion by 
the Commissioner, that she ought to have exercised her 


discretion differently, 


the Tribunal will allow the appeal or substitute such other decision as 
could have been made by the Commissioner. In any other case the 


Tribunal will dismiss the appeal. 


3. You may bring an appeal by serving a notice of appeal on the Tribunal 


at the following address: 


General Regulatory Chamber 
HM Courts & Tribunals Service 
PO Box 9300 

Leicester 


a) 


b) 


ICO. 
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LE1 8DJ 


Telephone: 0300 123 4504 
Email: grc@justice.gov.uk 


The notice of appeal should be sent so it is received by the 
Tribunal within 28 days of the date of the notice. 


If your notice of appeal is late the Tribunal will not admit it 
unless the Tribunal has extended the time for complying with this 


rule. 


The notice of appeal should state:- 


a) 


b) 


C) 


d) 


e) 


f) 


g) 


your name and address/name and address of your representative 


(if any); 


an address where documents may be sent or delivered to you; 


the name and address of the Information Commissioner; 


details of the decision to which the proceedings relate; 


the result that you are seeking; 


the grounds on which you rely; 


you must provide with the notice of appeal a copy of the 


monetary penalty notice or variation notice; 
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h) if you have exceeded the time limit mentioned above the notice 


of appeal must include a request for an extension of time and the 


reason why the notice of appeal was not provided in time. 


Before deciding whether or not to appeal you may wish to consult your 
solicitor or another adviser. At the hearing of an appeal a party may 
conduct his case himself or may be represented by any person whom 


he may appoint for that purpose. 


The statutory provisions concerning appeals to the First-tier Tribunal 
(Information Rights) are contained in section 55B(5) of, and Schedule 
6 to, the Data Protection Act 1998, and Tribunal Procedure (First-tier 
Tribunal) (General Regulatory Chamber) Rules 2009 (Statutory 
Instrument 2009 No. 1976 (L.20)). 


